General
-
Target
XClient.exe
-
Size
81KB
-
Sample
250120-z4kqjszkcj
-
MD5
75c36e72847b9bc3cc674eac06c44565
-
SHA1
a42206858b46997eb8f702539ddfa77c300c82a9
-
SHA256
a78098fb2b94571b85c7dce87af0cb9d8458b6d4e223ddb7fd633d81cae07462
-
SHA512
5d9ec6a2af00a1e10836e433d85e0b1facef17548f96c2513317a2386a136fd86d2d8e951199ebca9093a1a36c457d2a04435d5ffca9a60c19f06cb241e55ca4
-
SSDEEP
1536:33/nZzjyT2tJkzLIUnBjUthHE9bAMz/NFbs6WrNykOy5RjsmY:fnMStJk3IMUE9bd7/bSDOyL1Y
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/sZpRUbiu
-
telegram
https://api.telegram.org/bot7704029346:AAHPre1lXQa0UfPCpOUXJZ9UXA9mFxvH4Gk/sendMessage?chat_id=7590668020
Targets
-
-
Target
XClient.exe
-
Size
81KB
-
MD5
75c36e72847b9bc3cc674eac06c44565
-
SHA1
a42206858b46997eb8f702539ddfa77c300c82a9
-
SHA256
a78098fb2b94571b85c7dce87af0cb9d8458b6d4e223ddb7fd633d81cae07462
-
SHA512
5d9ec6a2af00a1e10836e433d85e0b1facef17548f96c2513317a2386a136fd86d2d8e951199ebca9093a1a36c457d2a04435d5ffca9a60c19f06cb241e55ca4
-
SSDEEP
1536:33/nZzjyT2tJkzLIUnBjUthHE9bAMz/NFbs6WrNykOy5RjsmY:fnMStJk3IMUE9bd7/bSDOyL1Y
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1